Ejemplo n.º 1
def check_tasks_list_acl(pools):
    """Raise unless the caller may list or count tasks for `pools`.

    Two-tier authorization:
      1. Global: acl.can_view_all_tasks() short-circuits the check.
      2. Realm: otherwise 'swarming.pools.listTasks' is checked through
         _check_pools_filters_acl(). Per the documented contract the caller
         must name pools and hold the permission in *all* of them; that
         enforcement lives in the helper, which is not shown here.

    Args:
      pools: List of pools used as the task filter.

    Returns:
      None

    Raises:
      auth.AuthorizationError: if the caller is not allowed.
    """
    # NOTE(review): an empty `pools` list is presumably rejected by the helper
    # ("required to specify pools") - confirm it cannot pass as "all of zero
    # pools".
    if not acl.can_view_all_tasks():
        _check_pools_filters_acl(
            realms_pb2.REALM_PERMISSION_POOLS_LIST_TASKS, pools)
Ejemplo n.º 2
def check_bot_tasks_acl(bot_id):
    """Raise unless the caller may read the tasks assigned to a bot.

    Two-tier authorization:
      1. Global: acl.can_view_all_tasks() short-circuits the check.
      2. Realm: otherwise 'swarming.pools.listTasks' is checked through
         _check_bot_acl(). Per the documented contract, holding the
         permission in *any* pool is sufficient (presumably any pool the bot
         belongs to - the helper is not shown here).

    Args:
      bot_id: ID of the bot.

    Returns:
      None

    Raises:
      auth.AuthorizationError: if the caller is not allowed.
    """
    # "Any pool" is a weaker requirement than the "all pools" rule used for
    # task listing, so the realm check is delegated to the bot-specific helper.
    if not acl.can_view_all_tasks():
        _check_bot_acl(realms_pb2.REALM_PERMISSION_POOLS_LIST_TASKS, bot_id)
Ejemplo n.º 3
 def test_ip_whitelisted(self):
     # Permission matrix for a caller recognised only through the IP
     # whitelist lookup, which is mocked to always succeed.
     def always_whitelisted(_name, _ip, _warn):
         return True

     self.mock(auth, 'is_in_ip_whitelist', always_whitelisted)
     both_tasks = (self._task_owned, self._task_other)

     self.assertTrue(acl.is_ip_whitelisted_machine())
     self.assertTrue(acl.can_access())

     # No configuration rights.
     self.assertFalse(acl.can_view_config())
     self.assertFalse(acl.can_edit_config())

     # Bots: may edit, delete and view, but not create.
     self.assertFalse(acl.can_create_bot())
     self.assertTrue(acl.can_edit_bot())
     self.assertTrue(acl.can_delete_bot())
     self.assertTrue(acl.can_view_bot())

     # Tasks: may create at normal priority only.
     self.assertTrue(acl.can_create_task())
     self.assertFalse(acl.can_schedule_high_priority_tasks())

     # Per-task edit/view is granted even for tasks owned by someone else,
     # while the global "all tasks" predicates stay False.
     # NOTE(review): this access rests on source IP alone - confirm the
     # whitelist is fed from trusted configuration.
     for task in both_tasks:
         self.assertTrue(acl.can_edit_task(task))
     self.assertFalse(acl.can_edit_all_tasks())
     for task in both_tasks:
         self.assertTrue(acl.can_view_task(task))
     self.assertFalse(acl.can_view_all_tasks())
Ejemplo n.º 4
 def test_instance_admin(self):
     # Permission matrix with the admin check mocked to True: every
     # capability is granted, but the caller is not treated as an
     # IP-whitelisted machine.
     auth_testing.mock_is_admin(self, True)
     both_tasks = (self._task_owned, self._task_other)

     self.assertFalse(acl.is_ip_whitelisted_machine())
     self.assertTrue(acl.can_access())

     # Configuration.
     self.assertTrue(acl.can_view_config())
     self.assertTrue(acl.can_edit_config())

     # Bots.
     self.assertTrue(acl.can_create_bot())
     self.assertTrue(acl.can_edit_bot())
     self.assertTrue(acl.can_delete_bot())
     self.assertTrue(acl.can_view_bot())

     # Task creation, including high priority.
     self.assertTrue(acl.can_create_task())
     self.assertTrue(acl.can_schedule_high_priority_tasks())

     # Task edit/view, per task and globally.
     for task in both_tasks:
         self.assertTrue(acl.can_edit_task(task))
     self.assertTrue(acl.can_edit_all_tasks())
     for task in both_tasks:
         self.assertTrue(acl.can_view_task(task))
     self.assertTrue(acl.can_view_all_tasks())
Ejemplo n.º 5
 def test_nobody(self):
     # Deny-by-default baseline: with the current identity mocked to
     # auth.Anonymous, every ACL predicate must answer False.
     auth_testing.mock_get_current_identity(self, auth.Anonymous)
     both_tasks = (self._task_owned, self._task_other)

     self.assertFalse(acl.is_ip_whitelisted_machine())
     self.assertFalse(acl.can_access())

     # Configuration.
     self.assertFalse(acl.can_view_config())
     self.assertFalse(acl.can_edit_config())

     # Bots.
     self.assertFalse(acl.can_create_bot())
     self.assertFalse(acl.can_edit_bot())
     self.assertFalse(acl.can_delete_bot())
     self.assertFalse(acl.can_view_bot())

     # Task creation.
     self.assertFalse(acl.can_create_task())
     self.assertFalse(acl.can_schedule_high_priority_tasks())

     # Task edit/view, per task and globally.
     for task in both_tasks:
         self.assertFalse(acl.can_edit_task(task))
     self.assertFalse(acl.can_edit_all_tasks())
     for task in both_tasks:
         self.assertFalse(acl.can_view_task(task))
     self.assertFalse(acl.can_view_all_tasks())
Ejemplo n.º 6
 def test_view_all_tasks(self):
     # Permission matrix for a member of the 'view_all_tasks' group: read
     # access to every task, and no write access beyond the caller's own
     # task.
     self._add_to_group('view_all_tasks')
     owned = self._task_owned
     other = self._task_other

     self.assertFalse(acl.is_ip_whitelisted_machine())
     self.assertTrue(acl.can_access())

     # No configuration rights.
     self.assertFalse(acl.can_view_config())
     self.assertFalse(acl.can_edit_config())

     # No bot rights, not even viewing.
     self.assertFalse(acl.can_create_bot())
     self.assertFalse(acl.can_edit_bot())
     self.assertFalse(acl.can_delete_bot())
     self.assertFalse(acl.can_view_bot())

     # Cannot create tasks.
     self.assertFalse(acl.can_create_task())
     self.assertFalse(acl.can_schedule_high_priority_tasks())

     # Editing stays limited to the owned task; the view grant must not
     # widen into edit rights on other callers' tasks.
     self.assertTrue(acl.can_edit_task(owned))
     self.assertFalse(acl.can_edit_task(other))
     self.assertFalse(acl.can_edit_all_tasks())

     # Viewing is allowed for every task.
     for task in (owned, other):
         self.assertTrue(acl.can_view_task(task))
     self.assertTrue(acl.can_view_all_tasks())
Ejemplo n.º 7
 def test_nobody(self):
     # Deny-by-default baseline: with get_current_identity mocked to return
     # auth.IDENTITY_ANONYMOUS, every ACL predicate must answer False.
     def anonymous_identity():
         return auth.IDENTITY_ANONYMOUS

     self.mock(auth, 'get_current_identity', anonymous_identity)
     both_tasks = (self._task_owned, self._task_other)

     self.assertFalse(acl.is_ip_whitelisted_machine())
     self.assertFalse(acl.can_access())

     # Configuration.
     self.assertFalse(acl.can_view_config())
     self.assertFalse(acl.can_edit_config())

     # Bots.
     self.assertFalse(acl.can_create_bot())
     self.assertFalse(acl.can_edit_bot())
     self.assertFalse(acl.can_delete_bot())
     self.assertFalse(acl.can_view_bot())

     # Task creation.
     self.assertFalse(acl.can_create_task())
     self.assertFalse(acl.can_schedule_high_priority_tasks())

     # Task edit/view, per task and globally.
     for task in both_tasks:
         self.assertFalse(acl.can_edit_task(task))
     self.assertFalse(acl.can_edit_all_tasks())
     for task in both_tasks:
         self.assertFalse(acl.can_view_task(task))
     self.assertFalse(acl.can_view_all_tasks())
Ejemplo n.º 8
def can_list_tasks(pool):
    """Tell whether the caller may list the tasks of one pool.

    Boolean counterpart of a raising ACL check: an AuthorizationError from
    the realm permission check is translated into False.

    Args:
      pool: Pool name.

    Returns:
      True if allowed, False otherwise. A pool with no configuration is
      treated as denied.
    """
    # Global viewers are allowed without consulting the pool configuration.
    if acl.can_view_all_tasks():
        return True

    cfg = pools_config.get_pool_config(pool)
    if not cfg:
        # Fail closed: an unknown pool has no realm to check against.
        logging.warning('Pool "%s" not found', pool)
        return False

    try:
        _check_permission(
            get_permission(realms_pb2.REALM_PERMISSION_POOLS_LIST_TASKS),
            [cfg.realm])
    except auth.AuthorizationError:
        return False
    else:
        return True